12372474-663b-41c3-9c07-412bc6d2e35a-10.exe

SavePass 1.1

OB

The application 12372474-663b-41c3-9c07-412bc6d2e35a-10.exe has been detected as adware by 21 of 68 anti-malware scanners. It persists as a scheduled task under the Windows Task Scheduler with a logon trigger, so it runs each time a user logs in. It is built on the Crossrider cross-browser extension platform; although the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. While running, it connects over unencrypted HTTP (TCP port 80) to tlb.hwcdn.net and to the other hosts listed under network communications below.
Publisher:
OB

Product:
SavePass 1.1

Description:
SavePass 1.1 exe

Version:
1000.1000.1000.1000

MD5:
2a7102414862fbcace0e7a29264b817a

SHA-1:
d101437344013bc7785c69bdf344b7d5b5834563

SHA-256:
2ee963f5c7337559482ea82acda9a918e0c8d672f8591db5283932c9b7c14c2f

Scanner detections:
21 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
12/26/2024 12:07:09 PM UTC

Scan engine             Detection                                                   Engine version
Lavasoft Ad-Aware       Gen:Variant.Adware.Strictor.93469                           518
AhnLab V3 Security      PUP/Win32.CrossRider                                        2015.09.05
Avira AntiVirus         ADWARE/CrossRider.Gen7                                      8.3.2.2
Arcabit                 Trojan.Adware.Strictor.D16D1D                               1.0.0.425
avast!                  Win32:Adware-CMH [PUP]                                      2014.9-150904
AVG                     Generic_r                                                   2016.0.2996
Baidu Antivirus         Adware.Win32.CrossAd                                        4.0.3.1594
Bitdefender             Gen:Variant.Adware.Strictor.93469                           1.0.20.1235
Comodo Security         Application.Win32.CrossRider.ALO                            23169
Dr.Web                  Trojan.Crossrider1.42770                                    9.0.1.0251
Emsisoft Anti-Malware   Gen:Variant.Adware.Strictor.93469                           8.15.09.04.03
ESET NOD32              Win32/Toolbar.CrossRider.CD potentially unwanted (variant)  9.12202
F-Secure                Gen:Variant.Adware.Strictor                                 11.2015-04-09_6
G Data                  Gen:Variant.Adware.Strictor.93469                           15.9.25
Kaspersky               not-a-virus:HEUR:WebToolbar.Win32.CrossRider                14.0.0.1477
Malwarebytes            PUP.Optional.SavePass                                       v2015.09.04.03
MicroWorld eScan        Gen:Variant.Adware.Strictor.93469                           16.0.0.741
Reason Heuristics       Adware.Crossrider (M)                                       15.9.4.15
Rising Antivirus        PE:Trojan.GoogUpdate!6.1E39[F1]                             23.00.65.15902
Sophos                  AppRider (PUA)                                              4.98
SUPERAntiSpyware        Adware.CrossRider/Variant                                   9650

File size:
1.2 MB (1,220,096 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
SavePass 1.1.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\savepass 1.1\12372474-663b-41c3-9c07-412bc6d2e35a-10.exe

File PE Metadata
Compilation timestamp:
9/4/2015 10:05:17 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:N+dyr2X5nYGx7lRC+NqUyF3r+5Zy08Ew87TGpS66xyEwcH2BbqAKU:kkq3q+byQi08Ew87TGpS6UCcH2BbvKU

Entry address:
0x9A33D

Entry point:
E8, D3, 06, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, B8, F9, 50, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 58, C1, 50, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, B8, F9, 50, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8...
 
Entropy:
6.4459

Code size:
768 KB (786,432 bytes)
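Added example (Python), not code from this page or from Reason Core Security: it shows how the fields in the File PE Metadata section above are read from a raw Win32 EXE. It parses the COFF and PE32 optional headers with struct, maps the entry-point RVA to a file offset through the section table, and decodes the first two entry-point bytes sequences (E8 = CALL rel32, E9 = JMP rel32) into their targets. build_sample_pe() constructs a minimal PE carrying the header values this page lists (entry address 0x9A33D, linker 11.0, OS version 5.1, GUI subsystem, code size 786,432, compilation timestamp taken as UTC); it is not the real file, and the section layout, image base and the assumption that the timestamp is UTC are the example's own.

```python
"""Recover the 'File PE Metadata' fields of a Win32 EXE from its raw bytes.

Added example, not code from the page or from Reason Core Security: parses
the COFF and PE32 optional headers with struct, maps the entry-point RVA to
a file offset through the section table, and decodes the leading
CALL/JMP rel32 pair at the entry point. build_sample_pe() constructs a
minimal PE carrying the header values this page lists; it is NOT the real
file, and the timestamp is assumed to be UTC.
"""
import struct
from datetime import datetime, timezone

SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def parse_pe32(data: bytes) -> dict:
    """Return the header fields this page reports for a PE32 (32-bit) image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe + 4                                              # IMAGE_FILE_HEADER
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                            # IMAGE_OPTIONAL_HEADER32
    magic, maj_link, min_link, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:                                         # 0x20B would be PE32+
        raise ValueError("only PE32 images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    maj_os, min_os = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []                                              # IMAGE_SECTION_HEADER[]
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, rawptr, rawsize))
    return {
        "machine": machine,                                    # 0x14C = i386
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "linker_version": f"{maj_link}.{min_link}",
        "os_version": f"{maj_os}.{min_os}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "code_size": size_of_code,
        "entry_rva": entry_rva,
        "image_base": image_base,
        "sections": sections,
    }


def rva_to_offset(sections, rva: int) -> int:
    """Map an RVA to a file offset via the section that contains it."""
    for _, vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def decode_entry_stub(data: bytes, info: dict, limit: int = 2) -> list:
    """Decode consecutive E8 (CALL rel32) / E9 (JMP rel32) instructions at the entry."""
    rva = info["entry_rva"]
    off = rva_to_offset(info["sections"], rva)
    out = []
    while len(out) < limit and data[off] in (0xE8, 0xE9):
        rel = struct.unpack_from("<i", data, off + 1)[0]       # signed displacement
        target = (rva + 5 + rel) & 0xFFFFFFFF                  # relative to the next insn
        out.append(("call" if data[off] == 0xE8 else "jmp", rva, target))
        rva, off = rva + 5, off + 5
    return out


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with this page's header values (not the real file)."""
    entry_rva, text_va, text_raw, code_size = 0x9A33D, 0x1000, 0x400, 786432
    stamp = int(datetime(2015, 9, 4, 10, 5, 17, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHH",
                      0x10B, 11, 0, code_size, 0, 0, entry_rva, text_va, 0,
                      0x400000, 0x1000, 0x200, 5, 1, 0, 0, 5, 1, 0, 0xC1000, 0x400, 0,
                      2, 0x8140)
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    # .text raw data: zeros up to the entry RVA, then the first entry bytes from the page
    entry = bytes.fromhex("e8d3060100e97ffeffff" + "cc" * 9)
    raw = b"\0" * (entry_rva - text_va) + entry
    sect = struct.pack("<8sIIIIIIHHI", b".text", code_size, text_va, len(raw), text_raw,
                       0, 0, 0, 0, 0x60000020)
    header = dos + coff + opt + sect
    return header + b"\0" * (text_raw - len(header)) + raw
```

The "Win32" bitness on the page comes from two header values: Machine 0x14C (i386) and optional-header Magic 0x10B (PE32); a PE32+ image would carry 0x20B and 64-bit ImageBase fields at different offsets, which is why the parser refuses it rather than reading garbage. The decoded entry stub, a CALL forward followed immediately by a JMP backward, is the shape of the standard MSVC CRT entry thunk for linker version 11.0 era builds, so it says "compiled C/C++ with the MSVC runtime" rather than anything about the program itself; useful when triaging, but not a detection on its own.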

Scheduled Task
Task name:
12372474-663b-41c3-9c07-412bc6d2e35a-10_user

Trigger:
Logon (Runs on logon)


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ip-50-63-202-62.ip.secureserver.net  (50.63.202.62:80)

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.49.66:80)

TCP (HTTP):
Connects to ec2-50-16-231-217.compute-1.amazonaws.com  (50.16.231.217:80)

TCP (HTTP):
Connects to ec2-23-21-174-210.compute-1.amazonaws.com  (23.21.174.210:80)
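Added example (Python), not code from this page or from Reason Core Security: triage logic that checks host telemetry against the indicators listed on this page, covering both the Scheduled Task section above and the network contacts in this section. The hashes, file name, task name and contact hosts are copied from the page; the event records are constructed for the example, modelled on Sysmon event 1 (ProcessCreate), Sysmon event 3 (NetworkConnect) and Windows Security event 4698 (scheduled task created), and their dict shape is the example's own assumption, not any tool's native format. Because hwcdn.net, secureserver.net and the amazonaws.com addresses are shared CDN and cloud hosting, a connection to them is rated low on its own; the hash and task-name matches carry the detection, and a file-name match without a hash match is rated medium because a rebuilt variant would keep the name but change every hash.

```python
"""Triage host telemetry against the indicators listed on this page.

Added example, not code from the page or from Reason Core Security. Hashes,
file name, task name and contact hosts are copied from the page. EVENTS is
constructed telemetry (not real logs) in a simplified dict form modelled on
Sysmon event 1 (ProcessCreate), Sysmon event 3 (NetworkConnect) and Windows
Security event 4698 (scheduled task created); the dict shape is this
example's own assumption.
"""

FILE_NAME = "12372474-663b-41c3-9c07-412bc6d2e35a-10.exe"
TASK_NAME = "12372474-663b-41c3-9c07-412bc6d2e35a-10_user"
HASHES = {
    "md5": "2a7102414862fbcace0e7a29264b817a",
    "sha1": "d101437344013bc7785c69bdf344b7d5b5834563",
    "sha256": "2ee963f5c7337559482ea82acda9a918e0c8d672f8591db5283932c9b7c14c2f",
}
# hwcdn.net, secureserver.net and amazonaws.com are shared CDN/cloud hosting,
# so an address match on its own is weak evidence and is rated "low" below.
CONTACT_HOSTS = {
    "tlb.hwcdn.net": "69.16.175.42",
    "ip-50-63-202-62.ip.secureserver.net": "50.63.202.62",
    "s3-website-us-east-1.amazonaws.com": "54.231.49.66",
    "ec2-50-16-231-217.compute-1.amazonaws.com": "50.16.231.217",
    "ec2-23-21-174-210.compute-1.amazonaws.com": "23.21.174.210",
}
CONTACT_IPS = set(CONTACT_HOSTS.values())


def parse_sysmon_hashes(field: str) -> dict:
    """Split Sysmon's 'MD5=..,SHA1=..,SHA256=..' field into a lower-cased dict."""
    out = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().lower()] = value.strip().lower()
    return out


def triage(event: dict):
    """Return (severity, reason) when an event matches an indicator, else None."""
    kind = event.get("event")
    if kind == "ProcessCreate":                       # Sysmon 1
        image = event.get("Image", "")
        seen = parse_sysmon_hashes(event.get("Hashes", ""))
        for algo, value in HASHES.items():
            if seen.get(algo) == value:
                return ("high", f"{algo} matches the page sample: {image}")
        if image.lower().endswith("\\" + FILE_NAME):
            return ("medium", f"file name matches but hash differs (rebuilt?): {image}")
    elif kind == "TaskCreated":                       # Security 4698
        if event.get("TaskName", "").lstrip("\\") == TASK_NAME:
            return ("high", f"logon-persistence task registered: {event['TaskName']}")
    elif kind == "NetworkConnect":                    # Sysmon 3
        host, ip = event.get("DestinationHostname", ""), event.get("DestinationIp", "")
        if (host in CONTACT_HOSTS or ip in CONTACT_IPS) and event.get("DestinationPort") == 80:
            return ("low", f"{event.get('Image', '?')} contacted shared-infra IOC {host or ip}:80")
    return None


def triage_all(events):
    """Return [(event id, severity, reason)] for every matching event."""
    hits = []
    for e in events:
        hit = triage(e)
        if hit:
            hits.append((e["id"], *hit))
    return hits


# Constructed sample telemetry for the example (not real logs).
EVENTS = [
    {"id": 1, "event": "ProcessCreate",
     "Image": r"C:\Program Files\savepass 1.1\12372474-663b-41c3-9c07-412bc6d2e35a-10.exe",
     "Hashes": "MD5=2A7102414862FBCACE0E7A29264B817A,"
               "SHA256=2EE963F5C7337559482EA82ACDA9A918E0C8D672F8591DB5283932C9B7C14C2F"},
    {"id": 2, "event": "TaskCreated",
     "TaskName": r"\12372474-663b-41c3-9c07-412bc6d2e35a-10_user"},
    {"id": 3, "event": "NetworkConnect",
     "Image": r"C:\Program Files\savepass 1.1\12372474-663b-41c3-9c07-412bc6d2e35a-10.exe",
     "DestinationHostname": "tlb.hwcdn.net", "DestinationIp": "69.16.175.42",
     "DestinationPort": 80},
    {"id": 4, "event": "NetworkConnect",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "", "DestinationIp": "54.231.49.66", "DestinationPort": 443},
    {"id": 5, "event": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for event_id, severity, reason in triage_all(EVENTS):
        print(f"event {event_id}: {severity:6} {reason}")
```

Event 4 deliberately hits an S3 address on port 443 from a browser and is not reported: the page only records port 80 contacts, and the S3/EC2 addresses serve plenty of unrelated traffic, so widening that rule is how an IOC list turns into a false-positive generator. For a real host, a hash match on the file at the Common path above plus the presence of the logon-triggered task is the evidence to act on; removing the task without the file, or the file without the task, leaves a dangling half of the persistence.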

Powered by Reason Core Security